Newsgroups: php.internals
From: imsop.php@rwec.co.uk ("Rowan Tommins [IMSoP]")
Date: Tue, 2 Apr 2024 20:40:32 +0100
Subject: Re: [PHP-DEV] Requiring GPG Commit Signing
To: internals@lists.php.net
Message-ID: <089e6466-540b-4d86-8cf4-1a6b5506efed@rwec.co.uk>
References: <3e988b3b-65b8-13d3-16cf-1296bfdd7ed2@php.net> <33406173-693c-44c2-a378-fff49751f3b4@rwec.co.uk>

On 02/04/2024 20:02, Ilija Tovilo wrote:
> But, does it matter? I'm not sure we look at some commits closer than
> others, based on its author. It's true that it might be easier to
> identify malicious commits if they all come from the same user, but it
> wouldn't prevent them.


It's like the difference between stealing someone's credit card, and cloning the card of everyone who comes into the shop: in the first case, someone needs to check their credit card statements carefully; in the second, you'll have a hard job even working out who to contact.

Similarly, if you discover a compromised key or signing account, you can look for uses of that key or account, which might be a tiny number from a non-core contributor; if you discover a compromised account pushing unsigned commits, you have to audit every commit in the repository.

I agree it's not a complete solution, but no security measure is; it's always about reducing the attack surface or limiting the damage.

Regards,

-- 
Rowan Tommins
[IMSoP]
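
The audit-scoping difference described in the message above, as an added example that is not part of the original post or of any PHP project tooling. The function names, commit hashes, key IDs and addresses are constructed for illustration; the only real interface assumed is `git log --format` with the `%H`, `%G?`, `%GK` and `%ae` placeholders.

```shell
#!/bin/sh
# Added example: scope an audit after a credential compromise.
# Input lines have the form produced by:
#   git log --format='%H|%G?|%GK|%ae'
# %G? is the signature status (G good, U/X/Y/R good with a key caveat,
# B bad, E cannot be checked, N no signature); %GK is the signing key.

# Constructed sample log; hashes, key IDs and addresses are made up.
sample_log() {
cat <<'EOF'
c0ffee01|G|AAAAAAAAAAAAAAAA|alice@example.org
c0ffee02|N||alice@example.org
c0ffee03|G|BBBBBBBBBBBBBBBB|bob@example.org
c0ffee04|N||bob@example.org
c0ffee05|G|BBBBBBBBBBBBBBBB|alice@example.org
c0ffee06|E|CCCCCCCCCCCCCCCC|carol@example.org
EOF
}

# signed_by_key KEYID (hypothetical helper): hashes of commits whose
# signature verified against KEYID. This is the whole audit set when
# that key is found to be compromised, whatever the author field says.
signed_by_key() {
    awk -F'|' -v key="$1" '$3 == key && $2 ~ /^[GUXYR]$/ { print $1 }'
}

# unattributable (hypothetical helper): hashes of commits with no
# signature, a bad one, or one that could not be checked. The author
# field is set by whoever creates the commit, so it cannot narrow the
# search when a push account is compromised: all of these are in scope.
unattributable() {
    awk -F'|' '$2 ~ /^[NBE]$/ { print $1 }'
}

echo "Key BBBBBBBBBBBBBBBB compromised, commits to audit:"
sample_log | signed_by_key BBBBBBBBBBBBBBBB
echo "Push account compromised, commits that cannot be ruled out:"
sample_log | unattributable
```

Against a real repository, replace `sample_log` with `git log --format='%H|%G?|%GK|%ae'`. Commit `c0ffee05` in the sample carries another contributor's address but is still found by the key lookup.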